CVE-2021-37136

7.5 HIGH

📋 TL;DR

CVE-2021-37136 is a denial-of-service vulnerability in Netty's Bzip2Decoder that allows attackers to trigger out-of-memory errors by sending specially crafted Bzip2 compressed data. The vulnerability affects all users of Netty's Bzip2Decoder component. Attackers can cause service disruption by exhausting system memory through uncontrolled decompression.

💻 Affected Systems

Products:
  • Netty
  • Apache Druid (uses Netty)
  • Other applications using Netty's Bzip2Decoder
Versions: Netty versions 4.1.0 through 4.1.65.Final
Operating Systems: All operating systems running affected Netty versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Netty's Bzip2Decoder without custom size restrictions is vulnerable. Apache Druid versions before 0.22.0 are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage due to out-of-memory conditions causing application crashes and system instability.

🟠 Likely Case: Service disruption and degraded performance as systems struggle with memory exhaustion from malicious decompression requests.

🟢 If Mitigated: Controlled memory usage with proper input validation and size restrictions preventing successful exploitation.

🌐 Internet-Facing: HIGH - Attackers can send malicious payloads directly to exposed services using Bzip2 decompression.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but requires access to services using vulnerable Netty components.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted Bzip2 data to vulnerable endpoints. The vulnerability is well-documented in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Netty 4.1.66.Final and later

Vendor Advisory: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv

Restart Required: Yes

Instructions:

1. Update Netty dependency to version 4.1.66.Final or later.
2. For Apache Druid, update to version 0.22.0 or later.
3. Rebuild and redeploy affected applications.
4. Restart services using the updated libraries.

🔧 Temporary Workarounds

Implement custom decompression size limits (applies to: all platforms)

Add size restrictions to Bzip2Decoder usage in application code, e.g. in Java: new Bzip2Decoder(maxLength)

Disable Bzip2 decompression (applies to: all platforms)

Remove or disable Bzip2Decoder usage if not required: remove Bzip2Decoder from the pipeline configuration.
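The following is an added example (not code from this advisory or from the Netty project) showing how the size-limit workaround looks inside a Netty pipeline. It assumes Netty 4.1.66.Final or later, where the decoder exposes a constructor taking a maximum allocation size (the constructor name and the parameter are assumptions based on the fixed release; the no-argument Bzip2Decoder() applies no limit). The byte budgets and the ByteBudget/DiscardingAppHandler classes are constructed for this example.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.compression.Bzip2Decoder;
import io.netty.handler.codec.compression.DecompressionException;
import io.netty.util.ReferenceCountUtil;

/**
 * Added example: bounds Bzip2 decompression three times over: compressed bytes in,
 * decoder allocation size, and decompressed bytes out. All budget values are
 * constructed policy numbers, not figures from the advisory.
 */
public final class BoundedBzip2Initializer extends ChannelInitializer<SocketChannel> {
    /** Compressed bytes a single connection may send before it is dropped. */
    static final long MAX_COMPRESSED_BYTES = 1L << 20;      // 1 MiB
    /** Largest single buffer the decoder may allocate (assumed constructor parameter). */
    static final int MAX_DECODER_ALLOCATION = 4 << 20;      // 4 MiB
    /** Decompressed bytes a single connection may produce before it is dropped. */
    static final long MAX_DECOMPRESSED_BYTES = 32L << 20;   // 32 MiB

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline()
          .addLast("compressedCap", new ByteBudget(MAX_COMPRESSED_BYTES))
          .addLast("bzip2", new Bzip2Decoder(MAX_DECODER_ALLOCATION))
          .addLast("decompressedCap", new ByteBudget(MAX_DECOMPRESSED_BYTES))
          .addLast("app", new DiscardingAppHandler());     // placeholder for the real handler
    }

    /** Counts inbound bytes crossing this point; closes the channel once the budget is spent. */
    static final class ByteBudget extends ChannelInboundHandlerAdapter {
        private final long budget;
        private long consumed;

        ByteBudget(long budget) {
            this.budget = budget;
        }

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            if (msg instanceof ByteBuf) {
                consumed += ((ByteBuf) msg).readableBytes();
                if (consumed > budget) {
                    ReferenceCountUtil.release(msg);
                    ctx.close();   // stop feeding the decoder instead of letting it keep allocating
                    return;
                }
            }
            ctx.fireChannelRead(msg);
        }

        @Override
        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
            if (cause instanceof DecompressionException) {
                ctx.close();       // malformed stream: drop the connection rather than retry
                return;
            }
            ctx.fireExceptionCaught(cause);
        }
    }

    /** Placeholder application handler: releases whatever reaches it. */
    static final class DiscardingAppHandler extends ChannelInboundHandlerAdapter {
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            ReferenceCountUtil.release(msg);
        }
    }
}
```

The compressed-side cap is the only one of the three that also works on a vulnerable release, because it keeps oversized streams from reaching the decoder at all; the decoder's own allocation limit is what the fixed version adds, and the decompressed-side cap catches streams that expand far beyond what the service expects. Only the handler placed after the decoder sees DecompressionException, since exceptions travel forward from the handler that raised them.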

🧯 If You Can't Patch

  • Implement network-level controls to filter or limit Bzip2 compressed data
  • Deploy memory monitoring and alerting to detect out-of-memory conditions

🔍 How to Verify

Check if Vulnerable:

Check Netty version in directly declared dependencies (the pattern matches 4.1.0.Final through 4.1.65.Final; transitive dependencies are only visible in the dependency tree below): grep -rE 'netty.*4\.1\.([0-9]|[1-5][0-9]|6[0-5])\.Final' pom.xml build.gradle

Check Version:

java -cp netty-all-*.jar io.netty.util.Version

Verify Fix Applied:

Verify Netty version is 4.1.66.Final or later: mvn dependency:tree | grep netty
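As an added example (not from this advisory), the same check can be done at application startup so a build that silently pulls in an old transitive Netty artifact refuses to run. It uses io.netty.util.Version.identify(), which returns the artifact versions recorded in the Netty jars on the classpath; the NettyVersionGate class and its comparison helpers are constructed for this example.

```java
import io.netty.util.Version;
import java.util.Map;
import java.util.TreeMap;

/** Added example: fail fast at startup if any Netty artifact on the classpath predates the fix. */
public final class NettyVersionGate {
    /** First release containing the Bzip2Decoder fix, per the advisory. */
    static final String FIXED = "4.1.66.Final";

    /** Splits "4.1.66.Final" (or "4.1.66-SNAPSHOT") into major/minor/patch numbers. */
    static int[] numericParts(String version) {
        String[] fields = version.split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < fields.length; i++) {
            String digits = fields[i].replaceAll("[^0-9].*$", "");  // "66-SNAPSHOT" -> "66"
            out[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
        }
        return out;
    }

    /** True when a is strictly older than b by numeric major/minor/patch comparison. */
    static boolean olderThan(String a, String b) {
        int[] x = numericParts(a);
        int[] y = numericParts(b);
        for (int i = 0; i < 3; i++) {
            if (x[i] != y[i]) {
                return x[i] < y[i];
            }
        }
        return false;
    }

    /** Returns artifactId -> version for every Netty artifact found that is older than FIXED. */
    static Map<String, String> vulnerableArtifacts(Map<String, Version> identified) {
        Map<String, String> bad = new TreeMap<>();
        for (Map.Entry<String, Version> e : identified.entrySet()) {
            String artifactVersion = e.getValue().artifactVersion();
            if (olderThan(artifactVersion, FIXED)) {
                bad.put(e.getKey(), artifactVersion);
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        Map<String, Version> identified = Version.identify();
        if (identified.isEmpty()) {
            // No version metadata at all (for instance a shaded jar): do not treat this as a pass.
            System.err.println("no Netty version metadata found; verify with mvn dependency:tree");
            System.exit(2);
        }
        Map<String, String> bad = vulnerableArtifacts(identified);
        if (bad.isEmpty()) {
            System.out.println("all Netty artifacts are " + FIXED + " or later");
            return;
        }
        bad.forEach((id, v) -> System.err.println("vulnerable: " + id + " " + v));
        System.exit(1);   // block startup until the dependency is updated
    }
}
```

Run it with the application's full classpath (java -cp <app classpath> NettyVersionGate) rather than against a single jar, since netty-codec, which contains Bzip2Decoder, may come in as a transitive dependency at a different version than netty-all. An empty result from Version.identify() is reported as a failure on purpose: a relocated or shaded copy of Netty carries no metadata, and absence of evidence is not a clean bill.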

📡 Detection & Monitoring

Log Indicators:

  • OutOfMemoryError in application logs
  • High memory usage spikes
  • Application crashes during decompression

Network Indicators:

  • Unusually large Bzip2 compressed payloads
  • Multiple decompression requests to vulnerable endpoints

SIEM Query:

source="application.logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError") AND process="*netty*"
